Software Security: OpenJDK Vulnerabilities
Being Aware of OpenJDK Vulnerabilities
Thinking of making the switch to OpenJDK but have questions and concerns about security? You're not alone, and being security-focused is a good place to start when choosing to adopt OpenJDK. Like any software, open source or not, it is not perfect and has had its share of vulnerabilities. The following are some noteworthy vulnerabilities in specific versions that you should avoid running.
Past Java Issues
CVE-2014-0462 and CVE-2014-2405 are two separate unspecified vulnerabilities in OpenJDK 6 before 6b31 on Ubuntu 12.04 LTS and 10.04 LTS. Both have unknown impact and attack vectors, and each was severe enough to receive a CVSS (v2) base score of 10.0, the maximum. Although their descriptions are identical, they are distinct vulnerabilities from one another.
CVE-2014-2483 and CVE-2014-4223 are another pair of unspecified vulnerabilities, this time affecting Java 7 update 60 (7u60), including OpenJDK 7 builds at that level. Both were rated a hefty 9.3, reflecting complete confidentiality, integrity, and availability impact: a successful exploit can disclose every file on the system and defeat system protection entirely. While both of these examples are for older versions of Java, we still see people running versions this old in production.
Modern OpenJDK Security Issues
More recent vulnerabilities include CVE-2020-2803, published in Oracle's April 2020 Critical Patch Update. It affects Java SE 7u251, 8u241, 11.0.6, and 14. Although rated difficult to exploit, it allows an unauthenticated attacker with network access via multiple protocols to compromise Java SE. A successful attack requires interaction from a person other than the attacker, and while the vulnerability is in Java SE itself, a successful exploit may significantly impact additional products.
The typical target of this attack is a Java deployment, usually a client, running sandboxed Java Web Start applications or sandboxed Java applets that load untrusted code and rely on the Java sandbox for security. Servers that load and run only trusted code, such as code installed by an administrator, are not affected. The CVSS v3 base score is 8.3. Earlier in the year, CVE-2020-2604 (January 2020) carried the same note about sandboxed deployments and was rated 8.1.
Updating OpenJDK to Prevent Security Issues
As with so many other types of open source software, keeping your installation up to date is the best practice for preventing your OpenJDK applications from becoming exposed. That is sometimes easier said than done in a production environment, and a patch is not always immediately deployable, but by tracking the update releases and applying them promptly you keep the security posture of your application intact.
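The first step in keeping up to date is knowing whether the build you are actually running is one of the affected ones. As an added example (not code from the original article or from OpenLogic), the Python below parses the banner printed by `java -version` in both the legacy `1.x.0_update` format used by JDK 7 and 8 and the newer `feature.interim.update` format used from JDK 9 on, then compares the result against the first update of each line that shipped with the April 2020 fix for CVE-2020-2803. The fixed-version table is an assumption drawn from the April 2020 update releases and should be verified against the vendor's bulletin before you rely on it; the sample banners are constructed for the example, and the check generalizes to vendor suffixes such as `-ea` or `+9` that the article's four version strings do not show.

```python
import re
import subprocess

# Constructed sample `java -version` banners (the text goes to stderr),
# covering the legacy 1.x_update numbering (JDK 7/8) and the newer
# feature.interim.update scheme (JDK 9 and later).
SAMPLE_BANNERS = {
    "jdk7_affected": 'java version "1.7.0_251"\n'
                     'Java(TM) SE Runtime Environment (build 1.7.0_251-b12)\n',
    "jdk8_affected": 'openjdk version "1.8.0_241"\n'
                     'OpenJDK Runtime Environment (build 1.8.0_241-b07)\n',
    "jdk8_fixed": 'openjdk version "1.8.0_252"\n'
                  'OpenJDK Runtime Environment (build 1.8.0_252-b09)\n',
    "jdk11_affected": 'openjdk version "11.0.6" 2020-01-14\n'
                      'OpenJDK Runtime Environment (build 11.0.6+10)\n',
    "jdk14_affected": 'openjdk version "14" 2020-03-17\n'
                      'OpenJDK Runtime Environment (build 14+36)\n',
    "jdk14_fixed": 'openjdk version "14.0.1" 2020-04-14\n',
}

# First update of each line shipped with the April 2020 fix for CVE-2020-2803.
# ASSUMPTION for this example: verify against the vendor bulletin before use.
FIRST_FIXED = {
    7: (7, 0, 261),
    8: (8, 0, 251),
    11: (11, 0, 7),
    14: (14, 0, 1),
}

_VERSION_RE = re.compile(r'version "([^"]+)"')


def parse_java_version(banner: str) -> tuple:
    """Return (feature, interim, update) from a `java -version` banner.

    '1.8.0_241' -> (8, 0, 241); '11.0.6' -> (11, 0, 6); '14' -> (14, 0, 0).
    Vendor suffixes such as '-ea' or '+9' after the version are ignored.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        raise ValueError("no version string found in banner")
    v = re.split(r"[-+]", m.group(1), maxsplit=1)[0]
    if v.startswith("1."):
        # Legacy scheme: 1.<feature>.0_<update>
        feature = int(v.split(".")[1])
        update = int(v.split("_")[1]) if "_" in v else 0
        return (feature, 0, update)
    parts = [int(p) for p in v.split(".")]
    parts += [0] * (3 - len(parts))  # "14" means 14.0.0
    return tuple(parts[:3])


def vulnerable_to_cve_2020_2803(version: tuple):
    """True if the build is below the first fixed update of its line,
    False if it is at or above it, None if the feature line is not in
    the advisory table (so this check cannot say either way)."""
    fixed = FIRST_FIXED.get(version[0])
    if fixed is None:
        return None
    return version < fixed


def check_installed(java_cmd: str = "java"):
    """Run `java -version` on this host and classify the installed build."""
    proc = subprocess.run([java_cmd, "-version"], capture_output=True, text=True)
    version = parse_java_version(proc.stderr or proc.stdout)
    return version, vulnerable_to_cve_2020_2803(version)


if __name__ == "__main__":
    for name, banner in SAMPLE_BANNERS.items():
        v = parse_java_version(banner)
        print(f"{name:15s} {v} vulnerable={vulnerable_to_cve_2020_2803(v)}")
```

Run it as-is to see the constructed samples classified; call `check_installed()` to test the JDK on the current host. A `None` result means the feature line is simply not in the table, which is different from "fixed", so treat it as "look it up", not as a pass.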
Staying informed about OpenJDK CVEs is also easy, as the project has a security bulletin available here. On that page you will also find a link to join the mailing list for security vulnerability announcements. With such an active and robust community online, all the resources you could need for OpenJDK are right at your fingertips.
Get Support to Update OpenJDK
Are you looking for Enterprise Architects with Java expertise? The team at OpenLogic by Perforce consists of passionate, experienced Enterprise Architects who provide end-to-end services to organizations so they can confidently gain the freedom and savings that come with using open source software. Learn more about open source Java services and support.
With OpenLogic, you can trust you'll be working with an experienced architect who has solved complex challenges in Java environments. Connect with one of our open source architects to get answers to your questions and to learn more about our JDK support, innovation, migration, and training!